Entra's Cross-tenant Access Settings, Part 3: How to optimize end-user experiences and privacy


Entra External ID, Microsoft's business-to-business (B2B) collaboration feature, has recently gained significant functionality to customize the end-user experience when people in your organization collaborate in Entra-integrated functionality that is hosted in the Entra tenant of another organization.

In this series of blogposts, I share how Entra's Cross-tenant Access Settings can be used to optimize the end-user experience. This information is useful both for Entra administrators who have people collaborating in another tenant and for Entra admins who have guest accounts in their tenant to facilitate access to their functionality.

Note:
In this series, I merely talk about the Entra External ID functionality that is based on Entra to Entra collaboration.

The first post in this series defined the settings. In the second blogpost I explained how to manage common B2B collaboration scenarios. Today, it's time to optimize the experience and privacy exposure of end-users in your organization.


The default redemption process

By default, when a person in your organization is invited to collaborate by a person in another organization using Entra, the process looks like this:

Figure: Entra External ID Default Flow


The flow is triggered by a person or admin in the third-party organization when he, she or they invite a person from your organization. Entra ID automatically creates a guest account if invitations may be sent to your organization's DNS domain name. Then, an invitation is sent. The person in your organization receives the invitation and clicks on the link to get access to the shared functionality. This triggers an update to the guest account, as the invitation has been redeemed. In the Entra tenant of the third-party organization, the person then needs to consent to the processing of his, her or their data. Then, multi-factor authentication (MFA) registration is required in the third-party Entra tenant. The MFA registration is subsequently stored in the guest account. Then, the person can access the shared functionality.


How Cross-tenant access settings can be used to optimize the end-user experience

Cross-tenant access settings can modify the way end-users in your organization collaborate.

The External collaboration settings pane in Entra, and the Sharing Policies in SharePoint Online both offer options to limit the organizations where people in your organization can send invitations to. Cross-tenant access settings is the only pane where admins (of other Entra tenants) can configure the way people in your organization can redeem invitations and how they sign in to collaborate.

Making your MFA methods work in partner organizations

With default settings, when people in your organization are invited by partner organizations, they need to register a multi-factor authentication (MFA) method in the partner organization's Entra tenant when they first sign in. This change has been in effect since last year and may already have prompted a change in your organization's guest access processes in the context of Entra External ID.

When the partner organization instead trusts the MFA methods registered in your tenant, as described below, the flow changes to the following:

Figure: Entra External ID flow without registering Multi-factor Authentication

From a privacy and security point of view, you might want a partner organization to trust the multi-factor authentication (MFA) methods that people in your organization have registered when they access resources in the partner organization. This prevents people in your organization from providing personally identifiable information (PII) like their phone number to another organization, outside of your organization's control. In the processing agreement, terms and conditions, terms of use and/or security agreement and/or security addendum with the partner organization:

  • Agree upon multi-factor authentication (MFA) methods that are allowed for both organizations.

Tip!
Agree upon allowing and/or requiring phishing-resistant MFA methods and blocking phone- and/or text message-based methods, wherever possible.

  • Request an admin to perform the following steps:
    • Sign in to the Entra portal. Perform multi-factor authentication when prompted.
    • In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
    • Click the Organizational settings tab.
    • Under Organizational settings, follow the + Add organization link to onboard your organizations by specifying your organization's DNS domain names or tenant IDs.
    • After onboarding, for your organization in the list of organizations, under Inbound access, click the Inherited from default link. This takes you to the Outbound access settings pane for your organization.
    • Click the Trust settings tab.
    • Select the Customize settings option to deviate from the Default settings.
    • Select the Trust multifactor authentication from Microsoft Entra tenants option.
    • Click Save at the bottom.
  • Optionally, request an admin to perform the following steps:
    • Configure a dynamic group that includes all guest users from your organization and configure this group as the scope for a Conditional Access policy to require phishing-resistant multi-factor authentication using the Require authentication strength option as the Grant option.

Making your device compliance work in partner organizations

With default settings, when people in your organization are invited by partner organizations, their device compliance is not used for authorization decisions in Conditional Access in the partner organization's Entra tenant when they sign in. From a security point of view, you might want a partner organization to require device compliance before allowing access for people in your organization. Device compliance is a strong security requirement that allows for a more holistic access approach beyond merely requiring multi-factor authentication 'at the gate'.

This does not change the flow from the point of view of a person in your organization.

Note:
Each partner organization that you work with on device compliance as a security measure needs Entra Premium licenses to use Dynamic Groups and Conditional Access.

In the processing agreement, terms and conditions, terms of use and/or security agreement and/or security addendum with the partner organization:

  • Agree upon device compliance as a security measure between your organizations.
  • Request an admin to perform the following steps:
    • Sign in to the Entra portal. Perform multi-factor authentication when prompted.
    • In the left navigation pane, expand the External Identities menu node and click the Cross-tenant access settings node in the Entra portal. This takes you to the External Identities | Cross-tenant access settings pane.
      • Click the Organizational settings tab.
      • Under Organizational settings, follow the + Add organization link to onboard your organizations by specifying your organization's DNS domain names or tenant IDs.
      • After onboarding, for your organization in the list of organizations, under Inbound access, click the Inherited from default link. This takes you to the Outbound access settings pane for your organization.
      • Click the Trust settings tab.
      • Select the Customize settings option to deviate from the Default settings.
      • Select the Trust compliant devices option.
      • Click Save at the bottom.
    • In the left navigation menu, expand the Groups menu node and click the All groups menu item. This takes you to the Groups | All groups pane.
      • Follow the + New group link. This takes you to the New Group pane.
      • Enter a Group Name.
      • Change the Membership type from Assigned to Dynamic User.
      • Follow the Add dynamic query link. This takes you to the Dynamic membership rules pane.
      • In the table of rules, in the Property column, select the userPrincipalName attribute. In the Operator column, select the Match operator. In the Value column, customize domaintld in the following string for your organization to match your domain.tld DNS domain name (without dots):

_domaintld#EXT#@

      • Click outside of the Value field and then click Save at the top of the Dynamic membership rules pane. This takes you back to the New Group pane.
      • Click Create at the bottom of the New Group pane.
    • In the left navigation menu, expand the Protection menu node and click Conditional Access. This takes you to the Conditional Access | Overview pane.

Tip!
The steps below create a new Conditional Access policy. When a policy has already been created for other partner organizations, edit that policy to include the additional dynamic group in its scope instead of creating a new policy. This avoids reaching the current limit of 195 Conditional Access policies per Entra tenant.

      • Click + Create new policy. This takes you to the New pane.
      • Enter a Name for the Conditional Access policy.
      • Under Assignments and then Users, follow the 0 users and groups selected link. Under Include, select Select users and groups and then Users and groups. The Select users and groups blade appears.
      • Select the group created earlier for the partner organization and click Select at the bottom of the blade.
      • Under Assignments and then Target resources, follow the No target resources selected link. Under Include, select All cloud apps.
      • Under Access controls and then Grant, follow the 0 controls selected link. The Grant blade appears. Select the Require device to be marked as compliant option and click Select at the bottom of the blade.
      • At the bottom of the pane, under Enable policy, select On. Then, click Create.
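The partner-side procedures above (the trust settings for MFA and compliant devices, the dynamic group of guests from your organization, and the Conditional Access policy scoped to that group) can also be scripted. The block below is an added example written for this post, not code from the post or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph modules are installed and that the admin running it in the partner tenant is granted the listed Graph scopes. The tenant ID and the `domaintld` value are placeholders to replace with your organization's own values; the policy and group names are arbitrary.

```powershell
# Added example (not from the original post): scripted equivalent of the
# partner-side steps with the Microsoft Graph PowerShell SDK. Run this in the
# PARTNER tenant, i.e. the tenant that hosts the guest accounts.
# Assumptions: Microsoft.Graph modules installed; the signed-in admin holds
# the scopes requested below. Tenant ID and domain are placeholders.

$YourTenantId  = '00000000-0000-0000-0000-000000000000'  # placeholder: tenant ID of the invited organization
$YourDomainTld = 'domaintld'                             # placeholder: your domain.tld, written as the post describes

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess',
                        'Group.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess'

# Step 1: onboard the organization under Organizational settings (if it is not
# listed yet) and customize its inbound trust settings. This is the scripted
# equivalent of 'Trust multifactor authentication from Microsoft Entra tenants'
# and 'Trust compliant devices' on the Trust settings tab.
$partner = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $YourTenantId `
    -ErrorAction SilentlyContinue
if (-not $partner) {
    $partner = New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $YourTenantId
}
Update-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $YourTenantId `
    -InboundTrust @{
        isMfaAccepted             = $true   # accept MFA claims issued by the guests' home tenant
        isCompliantDeviceAccepted = $true   # accept device-compliance claims from the home tenant
    }

# Step 2: dynamic group containing every guest from the organization. The rule
# is the post's '_domaintld#EXT#@' pattern, matched against userPrincipalName.
$rule  = "(user.userPrincipalName -match `"_${YourDomainTld}#EXT#@`")"
$group = New-MgGroup -DisplayName "B2B guests from $YourDomainTld" `
    -MailNickname "b2b-guests-$YourDomainTld" -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @('DynamicMembership') -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Step 3: Conditional Access policy scoped to that group, requiring a compliant
# device for all cloud apps. For additional partners, add their group to this
# policy's includeGroups instead of creating a policy per partner.
$policy = @{
    displayName   = "B2B: require compliant device for guests from $YourDomainTld"
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Optional (MFA section): a second policy for the same group that requires the
# built-in 'Phishing-resistant MFA' authentication strength. The strength is
# looked up by display name so no strength ID has to be hard-coded.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
$policy.displayName   = "B2B: require phishing-resistant MFA for guests from $YourDomainTld"
$policy.grantControls = @{
    operator               = 'OR'
    authenticationStrength = @{ id = $strength.Id }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Both policies are created in the enabled state; when rolling this out to a live partner tenant, create them with `state = 'enabledForReportingButNotEnforced'` first and review the sign-in logs for the group's members before switching to `enabled`, so that a mismatch between the trust settings and the guests' home-tenant claims does not lock collaborators out.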


Concluding

If security and privacy concerns govern the way your organization does B2B collaboration, Entra's cross-tenant access settings allow for optimizing it throughout the supply chain.

Take advantage, today!

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, and a speaker and blogger at DirTeam.com and ServerCore.net. He has been awarded Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander with the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander with the Veeam Vanguard award.